Imagine a group of undersea divers. They are swimming in the ocean doing some sort of productive activity, maybe retrieving treasure, or doing research, or something else. The divers receive instructions from managers in a boat.
Suddenly one of the divers is attacked by a shark. It tears right through his diving suit. There's blood in the water. The managers see the blood but tell the divers to keep doing their work. The injured diver attracts other sharks. Now the other divers are being attacked. The managers tell the divers to keep working.
It's a disaster. Divers are severely injured, and some are dying. In the boat some generalist first responders see the blood, and recommend putting the divers in protective cages. They aren't sure exactly what is happening so they fall back on the standard operating procedures.
A few of the divers seek shelter in the cages. Now the managers are howling that the divers aren't doing their work. They want the divers sent back out.
The generalist first responders don't know what to do. They ask if anyone else in the boat can help. Some specialist responders lower a camera into the water and see sharks eating divers. They tell the managers to pull the divers out.
The managers concede that the sharks are a problem but they want some sort of customized response for each injury. Can't we assess each diver, identify the damage, apply some bandages, and keep the work going?
This debate rages for hours, far too long in the opinion of everyone involved. More and more divers are hurt, the sharks continue to swarm, and no one is happy.
Let's explain this story.
- The divers are computers.
- The sharks are intruders, possibly even malware.
- Dying divers are computers whose data is being denied, degraded, or stolen by intruders.
- The managers are managers, or asset owners.
- The generalist first responders operate anti-malware software.
- The diving suit is anti-malware software in a default configuration.
- The cage is anti-malware software operated in a more aggressive configuration.
- Getting divers out of the water means isolating a compromised computer from the network.
- The specialist first responders are the incident response team.
- The camera lowered into the water is an investigation of the malware by the IR team.
My question is: how should this scenario have played out? I have a few recommendations:
- If you're going to swim in shark-infested waters, be resistant to shark attack, not ignorant of shark attack. Realize sharks are everywhere and prepare your defenses appropriately.
- If you're attacked by sharks, and your defenses fail, your first priority is to try to save the first victim.
- The second priority is to protect the rest of the divers so they can continue their mission.
- The priority should not be to keep everyone performing their mission, because it ignores the risk of the first diver dying (data loss, etc.) and the risk of exposing the other divers to attack (propagation of the malware).
- The fastest way to accomplish both priorities is to have a pre-approved incident response plan, with provisions for getting divers out of the water. This can involve an approval process where managers are told the situation and asked for approval to disconnect the victim. The difference between this process and what happened in the story is that the debate centers on whether or not to implement containment, not what should be done in general.
- Managers have to realize that they can't put vulnerable divers in the water and expect no negative consequences when they are attacked. Either spend resources up front to better protect the assets, or act quickly and decisively once trouble happens. Trying to plough on whatever the situation descends into lengthy and costly chaos.
I'm curious if anyone else has thoughts on this. I am interested in cases where the threat is fairly common (i.e., not advanced threats), so there is little to be gained by trying to learn more by observing the adversary.